QANTAS Cyber Incident

TLDR: They have to make any such announcements (that may affect the stock price) in such a way that everyone finds out at the same time.

You cannot guarantee that when sending out 6M emails

It's not like someone is manually sending each individual email. Once they have the data, it is automated, a simple script to do a look-up and send for each customer OOTB Salesforce.

The fact that SMH had all the stats 4 hours ago means the bot has had plenty of time to email the 5.7; and I'd argue it was more important to contact those with the most data leaked first before those with only 1 or 2 attributes.
 
Seriously? You think it's more important to provide a media update with total stats rather than giving the affected customers information re which bits of their personal data were leaked.

Qantas has a duty of care to impacted customers, the media and those who were not directly impacted can wait for their gossip.

You can walk and chew gum.

QF board would have had the overall stats to assess the damage. Easy for a PR person to send out a presser, while at the same time emails go out one by one to 6 million people. These are 6 million different emails, not an email sent to 6 million people, so even the fastest system on the planet will take hours if not days for that.
 
Seriously? You think it's more important to provide a media update with total stats rather than giving the affected customers information re which bits of their personal data were leaked.

Qantas has a duty of care to impacted customers, the media and those who were not directly impacted can wait for their gossip.

They have a duty of care to the stock exchange and ASIC to release the information as soon as possible and not wait for email systems to churn through 6m deliveries.
 
I’m sure QF is working through the emails. Giving it to the media in advance is appropriate as it ensures many people get the information as quickly as possible. I’m amazed at the number of people who say “I haven’t been notified” when they clearly have as they know to say “I haven’t been notified”. Multiple communication channels are being used, if the mass one gets to you before the personal one - then great, it worked!
 
Still no email from Qantas. I wonder if they are saving the worst till last?

I did however get a very legit looking email from my bank asking me to email them my password ASAP otherwise they’d close my account. Don’t stress everyone I responded promptly.
 
It's not like someone is manually sending each individual email. Once they have the data, it is automated, a simple script to do a look-up and send for each customer OOTB Salesforce.

The fact that SMH had all the stats 4 hours ago means the bot has had plenty of time to email the 5.7; and I'd argue it was more important to contact those with the most data leaked first before those with only 1 or 2 attributes.

The press release is on their website ( https://www.qantasnewsroom.com.au/m...-qantas-cyber-incident-wednesday-9-july-2025/ ). Seems a reasonable comms strategy.
 
It's not like someone is manually sending each individual email.

No one remotely suggested that.

Once they have the data, it is automated, a simple script to do a look-up and send for each customer OOTB Salesforce.

It's not simultaneous.

The fact that SMH had all the stats 4 hours ago means the bot has had plenty of time to email the 5.7; and I'd argue it was more important to contact those with the most data leaked first before those with only 1 or 2 attributes.

I would encourage you to read up on the requirements of the Continuous Disclosure rules.

Everyone has to be able to receive the announcement simultaneously - including those who aren't involved in the breach, and may not even be customers. But they may be buyers or sellers of the stock.

Market sensitive announcements cannot be trickled out to a subset of the market.

The usual route is via a company press release and a simultaneous announcement to the ASX
 
No one remotely suggested that.



It's not simultaneous.



I would encourage you to read up on the requirements of the Continuous Disclosure rules.

Everyone has to be able to receive the announcement simultaneously - including those who aren't involved in the breach, and may not even be customers. But they may be buyers or sellers of the stock.

Market sensitive announcements cannot be trickled out to a subset of the market.

The usual route is via a company press release and a simultaneous announcement to the ASX

Agree - let’s say it sends 10 emails a second which would not be a bad benchmark for an ad hoc script; that’s 600,000 seconds, or 10,000 minutes, or 166 hours - basically a full week.

It appears Amazon SES servers have a limit of 14 per second so those numbers aren’t far off.

So if it can send them out in 24-48 hours I don’t think that’s unreasonable at all. It may take closer to a week.
 

Once they have the data, it is automated, a simple script to do a look-up and send for each customer OOTB Salesforce.
If they’re doing a mass send from Salesforce Sales Cloud (which I would highly doubt), then they’re limited by default to 5000/day. If they’re using Marketing Cloud, it’s a soft limit of 2M/day per IP address. I would expect any other alternative platform to have similar daily limits.
 
I would encourage you to read up on the requirements of the Continuous Disclosure rules.

Agree. Listing rules trump responsibility to individuals. Listing rules also hold Directors to legal account; customers can't do that to any meaningful degree.
___________________

BTW, I hardly ever get malicious-type spam e-mail (since I changed it abt 18 months ago) or phone calls. I've carefully employed certain strategies to maintain that.

Today, I've received three nasty-looking e-mails and two phone calls, which from the voice mail transcripts, were dodgy. I'm sure it's just a coincidence.
 
If they’re doing a mass send from Salesforce Sales Cloud (which I would highly doubt), then they’re limited by default to 5000/day. If they’re using Marketing Cloud, it’s a soft limit of 2M/day per IP address. I would expect any other alternative platform to have similar daily limits.

2M a day equates to 23 per second, which is more than Amazon (14) but in the same ballpark.
 
Agree. Listing rules trump responsibility to individuals. Listing rules also hold Directors to legal account; customers can't do that to any meaningful degree.
___________________

BTW, I hardly ever get malicious-type spam e-mail (since I changed it abt 18 months ago) or phone calls. I've carefully employed certain strategies to maintain that.

Today, I've received three nasty-looking e-mails and two phone calls, which from the voice mail transcripts, were dodgy. I'm sure it's just a coincidence.
Well Qantas are saying they don't believe the data has been released yet. Which would make sense if they are still demanding a ransom
 
Had received the second letter. Still waiting for my "exposure" letter.
Interesting my meta has had two "change passwords" in one day.
Husband has had numerous "spam" calls
 
Anybody with status uses their Qantas app / website enough to see the erroneous booking.

I'm sure people using this one weird trick are smart enough to book same day or night before. I doubt everyone is checking the app several times a day.

That said I'd probably want to do some screening to avoid being permanently banned should my mystery flyer play up midflight

That would be my main concern. Or some strange requests/remarks added to your profile by the CSM that you remain unaware of.

I'm not sure that Qantas recognises P1s well enough (esp on domestic routes) to justify committing a federal offence.

In an absolute worst case the maximum sentence is 12 months. I think some AFFers might be willing to risk it for their first trip to the CL ;)

Of course with massive datasets like this one it's quite likely you can find many accounts matching your first and last name. Simply pick the best one if you want to keep name the same and avoid committing an offense.
 
I'm sure people using this one weird trick are smart enough to book same day or night before. I doubt everyone is checking the app several times a day.



That would be my main concern. Or some strange requests/remarks added to your profile by the CSM that you remain unaware of.



In an absolute worst case the maximum sentence is 12 months. I think some AFFers might be willing to risk it for their first trip to the CL ;)

Of course with massive datasets like this one it's quite likely you can find many accounts matching your first and last name. Simply pick the best one if you want to keep name the same and avoid committing an offense.

Yep but most people would have the app with push notifications enabled so you’d see “available for check in” and “now boarding” etc.
 
